HTML/FilecoderPhobos.NT!tr.ransom

Analysis

HTML/FilecoderPhobos.NT!tr.ransom is a generic detection for a trojan.
Since this is a generic detection, malware detected as HTML/FilecoderPhobos.NT!tr.ransom may vary in behaviour.
Below are some of its observed characteristics/behaviours:

  • This ransom note is associated with the Phobos ransomware family. The note is dropped onto the victim's desktop and into affected directories during the execution of the ransomware. The note informs the user that their data has been encrypted and directs the user to contact the attacker via email for payment and decryption. Affected users are discouraged from taking this action, as payment does not guarantee the retrieval of data.

  • Below are images of the ransom note:

    • Figure 1: Variations of the ransom note.


  • Following are some of the exact file hashes associated with this detection:

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-11-20 91.08976
2022-05-31 90.02802
2022-04-19 90.01551